Homomorphic encryption

ABSTRACT

Systems, methods, and computer-readable storage devices storing instructions for homomorphic encryption via finite ring isomorphisms are provided. An example method includes selecting a polynomial f(x) of exact degree n with small coefficients in a ring F_(q)[x] and selecting a polynomial h(y) of exact degree n in a ring F_(q)[y]. The method includes constructing an isomorphism from the ring F_(q)[x]/(f(x)) to the ring F_(q)[y]/(h(y)) and constructing an inverse isomorphism from the ring F_(q)[y]/(h(y)) to the ring F_(q)[x]/(f(x)). The method includes encrypting a message using said isomorphism from the ring F_(q)[x]/(f(x)) to the ring F_(q)[y]/(h(y)) and transmitting the encrypted message to a remote computer. The method also includes receiving one or more encrypted response messages from the remote computer based at least in part on the transmitted message and decrypting the one or more encrypted response messages.

PRIORITY

This application is being filed on 8 Jul. 2016, as a PCT International patent application, and claims priority to U.S. Provisional Patent Application No. 62/190,121, entitled “FF-ENCRYPT: LEVELED HOMOMORPHIC ENCRYPTION VIA FINITE FIELD ISOMORPHISMS,” filed on Jul. 8, 2015, the disclosure of which is hereby incorporated by reference herein in its entirety.

GOVERNMENT LICENSE RIGHTS

The invention was made with government support under DMS1349908 awarded by the National Science Foundation (NSF). The government has certain rights in the invention.

BACKGROUND

Data encryption refers to the process of converting data into another format that cannot easily be understood by unauthorized parties. Computer systems often use data encryption to protect users' privacy, for example, when communicating over a network. Typically, when encrypted data is received, the data is decrypted so that the receiving party can understand and process the data. Thus, an underlying premise of many encryption technologies is that the receiving party must be trusted with the data.

It is with respect to these and other general considerations that embodiments have been made. Also, although relatively specific problems have been discussed, it should be understood that the embodiments should not be limited to solving the specific problems identified in the background.

SUMMARY

In general terms, this disclosure is directed to systems and methods for homomorphic encryption via finite ring isomorphisms. In one possible configuration, and by non-limiting example, one or more messages are encrypted using an isomorphism from one ring to another ring.

One aspect is a system for homomorphic encryption via finite ring isomorphisms, comprising: at least one processor; and memory, operatively connected to the at least one processor and storing instructions that, when executed by the at least one processor, cause the at least one processor to: select a polynomial f(x) of exact degree n with small coefficients in a ring F_(q)[x]; select a polynomial h(y) of exact degree n in a ring F_(q)[y]; construct an isomorphism from the ring F_(q)[x]/(f(x)) to the ring F_(q)[y]/(h(y)); construct an inverse isomorphism from the ring F_(q)[y]/(h(y)) to the ring F_(q)[x]/(f(x)); encrypt one or more messages using said isomorphism from the ring F_(q)[x]/(f(x)) to the ring F_(q)[y]/(h(y)); transmit the encrypted one or more messages to a remote computer; receive one or more encrypted response messages from the remote computer based at least in part on the transmitted one or more messages; and decrypt the one or more encrypted response messages.

Another aspect is a method for homomorphic encryption via finite ring isomorphisms, the method comprising: selecting a polynomial f(x) of exact degree n with small coefficients in a ring F_(q)[x]; selecting a polynomial h(y) of exact degree n in a ring F_(q)[y]; constructing an isomorphism from the ring F_(q)[x]/(f(x)) to the ring F_(q)[y]/(h(y)); constructing an inverse isomorphism from the ring F_(q)[y]/(h(y)) to the ring F_(q)[x]/(f(x)); encrypting one or more messages using said isomorphism from the ring F_(q)[x]/(f(x)) to the ring F_(q)[y]/(h(y)); transmitting the encrypted one or more messages to a remote computer; receiving one or more encrypted response messages from the remote computer based at least in part on the transmitted one or more messages; and decrypting the one or more encrypted response messages.

Yet another aspect is a computer-readable storage device having computer executable instructions stored thereon, which, when executed by a computing system, provide instructions to perform a method for homomorphic encryption via finite ring isomorphisms, the method comprising: selecting a polynomial f(x) of exact degree n with small coefficients in a ring F_(q)[x]; selecting a polynomial h(y) of exact degree n in a ring F_(q)[y]; constructing an isomorphism from the ring F_(q)[x]/(f(x)) to the ring F_(q)[y]/(h(y)); constructing an inverse isomorphism from the ring F_(q)[y]/(h(y)) to the ring F_(q)[x]/(f(x)); encrypting one or more messages using said isomorphism from the ring F_(q)[x]/(f(x)) to the ring F_(q)[y]/(h(y)); transmitting the encrypted one or more messages to a remote computer; receiving one or more encrypted response messages from the remote computer based at least in part on the transmitted one or more messages; and decrypting the one or more encrypted response messages.

This summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.

BRIEF DESCRIPTION OF THE DRAWINGS

Non-limiting and non-exhaustive embodiments are described with reference to the following Figures.

FIG. 1 is an example system for performing homomorphic encryption using finite ring isomorphisms.

FIG. 2 is an example method for performing calculations on data using homomorphic encryption with the system of FIG. 1.

FIG. 3 is an example method for encrypting data using the system of FIG. 1.

FIG. 4 is an example method for decrypting data using the system of FIG. 1.

FIG. 5 is an example method for generating an isomorphism and an inverse isomorphism using the system of FIG. 1.

FIG. 6 is an example method for key generation using the system of FIG. 1.

FIG. 7 illustrates one example of a suitable operating environment in which one or more of the aspects of the disclosure may be implemented.

The attached Appendix provides additional examples to aid in the understanding of the present technology.

DETAILED DESCRIPTION

Various embodiments are described more fully below with reference to the accompanying drawings, which form a part hereof, and which show specific example embodiments. However, embodiments may be implemented in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the embodiments to those skilled in the art. Embodiments may be practiced as methods, systems or devices. Accordingly, embodiments may take the form of a hardware implementation, an entirely software implementation or an implementation combining software and hardware aspects. The following detailed description is, therefore, not to be taken in a limiting sense. While different embodiments are illustrated, one of skill in the art will appreciate that different aspects from the different embodiments may be combined without departing from the scope of this disclosure.

Generally, data encryption refers to the process of encoding plaintext data (e.g., ordinary, readable text) into ciphertext (e.g., encrypted, non-readable data) to prevent unauthorized access to the data. Broadly, plaintext data is encrypted through the use of a private key and decrypted using an associated public key, thereby allowing only authorized users to access the data.

Homomorphic encryption enables computation on encrypted data that is stored remotely, such as in the cloud. Homomorphic encryption is a type of data encryption that involves the encryption of plaintext data using a particular algebraic expression, wherein that particular algebraic operation is equivalent to another algebraic operation performed on the ciphertext data. Homomorphic encryption can be performed for both public key (asymmetric) and private key (symmetric) encryption.

Homomorphic encryption allows calculations to be performed on ciphertext. The present disclosure provides novel systems and methods of a leveled homomorphic encryption scheme that is based on a secret isomorphism between finite rings, wherein the secret isomorphism is defined as ϕ:R₁→R₂. The disclosed encryption scheme provides both symmetric (private key) and asymmetric (public key) encryption.

FIG. 1 is an example system 100 for performing homomorphic encryption using finite ring isomorphisms. The system 100 includes a computing device 102 and a remote computing device 104. The computing device 102 encrypts data using a secret isomorphism 114 to generate an encrypted message, which the computing device 102 sends to the remote computing device 104. The remote computing device 104 receives the encrypted message, performs calculations on or using the encrypted message 120 without ever decrypting the encrypted message, and sends the results back to the computing device 102 in another encrypted message. In this manner, the computing device 102 can use the processing capabilities of the remote computing device 104 without revealing the data upon which the calculations are performed in a format that is understandable by the remote computing device.

The computing device 102 and the remote computing device 104 communicate over a network. The network may be any type of network that is capable of facilitating communications between the computing device and the remote computing device. Examples of such networks include, but are not limited to, LANs, WANs, cellular networks, and/or the Internet.

The computing device 102 includes a processor and memory, and may be any type of computing device. Non-limiting examples of the computing device include but are not limited to server computers, network appliances, network storage devices, desktop computers, laptop computers, tablets, smart phones, wearable devices, or other types of computing devices. In this example, the computing device 102 includes an application 106 and a cryptography engine 108.

The application 106 is a computer program that performs one or more functions. The application may run autonomously or may be controlled by a user. In some embodiments, the application 106 is interactive and receives one or more inputs from a user. The application 106 may interact with or generate confidential data 112. The confidential data 112 may be any type of data that a user desires to keep private. Examples of the confidential data 112 include but are not limited to health data, genetic data, security data, and financial data.

In some embodiments, the system 100 operates to maintain the confidentiality of the confidential data 112 by only transmitting the confidential data 112 from the computing device 102 when it has been encrypted to ciphertext by the cryptography engine. Further, the computing device 102 may be the only device that is able to decrypt the ciphertext.

The cryptography engine 108 operates to encrypt unencrypted data such as the confidential data 112 and decrypt encrypted data such as the encrypted message 122 received from the remote computing device 104. In some embodiments, the cryptography engine 108 operates to generate a secret isomorphism 114 that is usable to encrypt data and a secret inverse isomorphism 116 that is usable to decrypt data encrypted using the secret isomorphism 114. The secret isomorphism 114 may be from a private-basis ring to a public-basis ring. The secret inverse isomorphism 116 may be from the public-basis ring to the private-basis ring. In some embodiments, the secret isomorphism 114 and the secret inverse isomorphism 116 are stored on the computing device 102 and are not shared with or made available to any other computing devices.

The remote computing device 104 includes a processor and memory, and may be any type of computing device. Non-limiting examples of the remote computing device include but are not limited to server computers, network appliances, network storage devices, desktop computers, laptop computers, tablets, smart phones, wearable devices, or other types of computing devices. In this example, the remote computing device 104 includes a services engine 118.

The services engine 118 performs computing services. For example, the services engine 118 may perform computing services for the computing device 102 based on the encrypted message 120 received from the computing device 102. The services engine 118 performs the services without decrypting the encrypted message 120. In one example, the services engine 118 may perform calculations on the encrypted message 120 that are usable in performing genetic analysis.

In some embodiments, the cryptography engine 108 performs leveled homomorphic encryption, which imposes a limit on the number of computations that can be performed on the ciphertext before numerical error overcomes the data in the ciphertext. In some embodiments, the services engine 118 may therefore limit the number of computations it performs based on the limit imposed by the cryptography engine 108.

FIG. 2 is an example method 200 for performing calculations on data using homomorphic encryption. The method 200 may be employed to use the processing capacity of an external computing device such as a server to perform calculations on confidential data without allowing the external computing device to decrypt the confidential data. As an example, the method 200 may be executed by a component of an example system such as the system 100. In examples, the method 200 may be executed on one or more devices comprising at least one processor configured to store and execute operations, programs, or instructions.

At operation 202, plaintext data is accessed. The plaintext data may comprise confidential data, non-confidential data, or a combination of both. The plaintext data may be accessed from a storage device such as a hard drive or memory device on a computing device. The plaintext data may be stored in one or more tables in a database or files stored in a file system. As another example, the plaintext data may be generated by an application running on the computing device. The plaintext data may include various data received as user input from a user of the computing device as well. As used herein, plaintext data refers to data that is unencrypted. Plaintext data may be any type of data, including but not limited to textual data, audio data, image data, video data, computer instruction data, and any other types of data.

At operation 204, an isomorphism is accessed. The isomorphism maps from a private-basis ring to a public-basis ring. The isomorphism is usable to transform data represented in the private-basis ring to the public-basis ring. In some embodiments, the isomorphism is accessed from a storage location on the computing device or another secure location. Alternatively, the isomorphism is generated at the time the method 200 is performed according to the methods described herein.

At operation 206, the plaintext data is encrypted using the isomorphism to generate an encrypted message. For example, the plaintext data may be encoded as polynomials in the private-basis ring, which are then converted to the public-basis ring using the isomorphism.

At operation 208, the encrypted message is transmitted to a remote computing device. For example, the encrypted message may be transmitted over one or more wired or wireless networks.

Although the remote computer will receive the encrypted message, the remote computer will be unable to decrypt the encrypted message, so the remote computer will not be able to understand the encrypted message. Similarly, any third parties that intercept the encrypted message will also be unable to decrypt or understand the message.

Even though the remote computer is unable to decrypt, and therefore has no access to, the plaintext message, the remote computer may perform various computations on the encrypted message to generate one or more encrypted response messages. In some embodiments, the computations performed by the remote computer are limited to a particular level associated with the homomorphic encryption scheme. The level specifies an amount of calculations that can be performed before numerical error overwhelms the results of the calculations.

Because the remote computer performs computations on the encrypted message, there is no need to exchange decryption keys with the remote computer. Accordingly, a third party cannot intercept the decryption keys and later use the intercepted decryption keys to decrypt encrypted messages. Instead, the decryption keys (e.g., the secret inverse isomorphism) are kept confidential to the computing device.

At operation 210, one or more encrypted response messages are received by the computing device. The encrypted response messages may be the result of the remote computer performing various calculations on the encrypted message.

At operation 212, an inverse isomorphism is accessed. The inverse isomorphism inverts the isomorphism. In other words, the inverse isomorphism is from the public-basis ring to the private-basis ring. Like the isomorphism accessed in operation 204, the inverse isomorphism may be accessed from a storage device on the computing device or may be generated according to the methods described herein.

At operation 214, the encrypted response message is decrypted using the inverse isomorphism. For example, the encrypted response message may be converted from polynomials in the public-basis ring to polynomials in the private-basis ring using the inverse isomorphism. The polynomials in the private-basis ring may then be converted to plaintext data.

Once the response message is decrypted to plaintext data, the plaintext data can be stored or presented to a user. Alternatively, the plaintext data can be used for further processing by the application.

The leveled homomorphic encryption scheme may be based on a secret isomorphism of rings. The isomorphism may be represented as ϕ: F_(q^n) → F_(q^n).

In some embodiments, two bases for F_(q^n) are chosen as an F_(q)-vector space. Specifically, a private F_(q)-basis

$v_{1}, \ldots, v_{n} \in F_{q^{n}}$

and a public F_(q)-basis

$w_{1}, \ldots, w_{n} \in F_{q^{n}}$

are chosen. To encrypt a plaintext message m = Σ ϵ_(i)v_(i) with ϵ_(i) mod p, a random polynomial r = Σ δ_(i)v_(i) with small δ_(i) is chosen.

Then the ciphertext is generated as c = pr + m expressed in terms of the public F_(q)-basis (w). To decrypt a ciphertext, the ciphertext is expressed in terms of the private F_(q)-basis (v), then the v-coordinates are lifted from F_(q) to ℤ and reduced mod p. In some embodiments, p is a small prime number that is private (e.g., known only to the computing device performing encryption). The above-described cryptosystem is similar to a classical Hill cipher using a secret n-by-n matrix to define a linear transformation F_(q^n) → F_(q^n). However, additional conditions are imposed on the cryptosystem as described herein.

The ring F_(q^n) has a multiplication, and multiplying basis elements in F_(q^n) gives the formulas

$v_{i}v_{j} = \sum_{k=1}^{n} \alpha_{ijk} v_{k} \quad \text{and} \quad w_{i}w_{j} = \sum_{k=1}^{n} \beta_{ijk} w_{k}$

for certain elements α_(ijk), β_(ijk) ∈ F_(q). Accordingly, the following conditions can be imposed:

1.  β_(ijk) is public, which allows the public to perform ring operations (e.g., addition and multiplication) using the public F_(q)-basis (w);
2.  α_(ijk) is secret and small, which allows for correct decryption; and
3.  multiplication in the two copies of F_(q^n) is “compatible” when expressed in terms of “small” linear combinations of appropriately chosen bases, as is explained in greater detail herein.

The n³-tuples (α_(ijk)) and (β_(ijk)) may be symmetric 3-tensors. In particular, the small secret α_(ijk) satisfies compatibility relations coming from the commutative and associative laws

$v_{i}v_{j} = v_{j}v_{i} \quad \text{and} \quad (v_{i}v_{j})v_{k} = v_{i}(v_{j}v_{k}).$

In some embodiments, the private F_(q)-basis and public F_(q)-basis are constructed as described herein. To avoid confusion, the notation F_(q)[x]/(f(x)) and F_(q)[y]/(h(y)), for certain irreducible polynomials f(x) and h(y) of degree n such that f(x) has small coefficients, is used to refer to two copies of the ring F_(q^n). The secret basis is 1, x, . . . , x^(n−1) with secret multiplication rules determined by f(x), and the public basis is 1, y, . . . , y^(n−1) with public multiplication rules determined by h(y). The formulas that express powers of x and y in terms of each other are also secret. Table 1 below provides some notation that is used herein.

TABLE 1

| Status  | Symbol | Description |
|---------|--------|-------------|
| public  | q      | prime (or prime power) |
| public  | n      | dimension (degree) parameter |
| private | f(x)   | irreducible monic polynomial of degree n in F_(q)[x] with small coefficients |
| private | ϕ(y)   | polynomial of degree less than n in F_(q)[y] |
| private | h(y)   | irreducible monic polynomial of degree n in F_(q)[y] with arbitrary coefficients |

In some embodiments, n is chosen as a prime so that there are no intermediate fields between F_(q) and F_(q^n). Additionally, in some embodiments, f(x) is chosen so that it is irreducible in F_(p)[x] as well as F_(q)[x].

A method for finding polynomials f(x) and h(y) and an explicit isomorphism

$\frac{F_{q}[x]}{(f(x))} \rightarrow \frac{F_{q}[y]}{(h(y))}$

is described below. Polynomials f, ϕ, and h are selected to satisfy

h(y) | f(ϕ(y)).

Methods for finding such a triple of polynomials are discussed herein. Since f and h are irreducible over F_(q), both of the quotients F_(q)[x]/(f(x)) and F_(q)[y]/(h(y)) are rings with q^(n) elements. Further, the polynomial ϕ defines an isomorphism of rings via

$\frac{F_{q}[x]}{(f(x))} \rightarrow \frac{F_{q}[y]}{(h(y))}, \qquad m(x) \bmod f(x) \;\mapsto\; m(\phi(y)) \bmod h(y).$

The polynomial ψ defines an inverse isomorphism to the isomorphism defined by the polynomial ϕ. Specifically, the polynomial ψ is selected as a polynomial of degree less than n satisfying

ϕ(ψ(x)) ≡ x (mod f(x)).

Then ψ gives an inverse to the isomorphism defined by polynomial ϕ, that is, the map

$\frac{F_{q}[y]}{(h(y))} \rightarrow \frac{F_{q}[x]}{(f(x))}, \qquad c(y) \bmod h(y) \;\mapsto\; c(\psi(x)) \bmod f(x)$

has the property that

ϕ(ψ(x)) ≡ x (mod f(x)) and ψ(ϕ(y)) ≡ y (mod h(y)).

A method is described herein to find ψ from ϕ and f via linear algebra.

FIG. 3 is an example method 300 for encrypting data. The method 300 may be employed to perform homomorphic encryption of plaintext data. As an example, the method 300 may be executed by a component of an example system such as the system 100. In examples, the method 300 may be executed on one or more devices comprising at least one processor configured to store and execute operations, programs, or instructions.

At operation 302, the plaintext is represented as a polynomial m(x) ∈ ℤ[x] of degree less than n with small coefficients.

At operation 304, a random polynomial r(x) ∈ F_(q)[x] of degree less than n with small coefficients is chosen.

At operation 306, a ciphertext c(y) is computed. For example, the ciphertext may be computed as

c(y) = p r(ϕ(y)) + m(ϕ(y)) mod h(y) ∈ F_(q)[y]/(h(y)).

FIG. 4 is an example method 400 for decrypting data. The method 400 may be employed to decrypt data that was encrypted under the homomorphic encryption scheme. As an example, the method 400 may be executed by a component of an example system such as the system 100. In examples, the method 400 may be executed on one or more devices comprising at least one processor configured to store and execute operations, programs, or instructions.

Decryption is performed on a ciphertext such as c(y), which may be generated according to the method illustrated and described with respect to FIG. 3 or by performing calculations on a ciphertext generated accordingly.

At operation 402, a polynomial a(x) is computed from the ciphertext. The polynomial a(x) may be computed based on the inverse isomorphism. For example, a(x) may be computed as

a(x) = c(ψ(x)) mod f(x) ∈ F_(q)[x]/(f(x)).

At operation 404, the polynomial a(x) is lifted to a polynomial A(x). The polynomial A(x) may be in ℤ[x] with degree less than n and having the smallest possible coefficients.

At operation 406, the plaintext is recovered by calculating

A(x) mod p ∈ (ℤ/pℤ)[x].

This method 400 works because:

$\begin{aligned} a(x) &\equiv c(\psi(x)) \pmod{f(x)} \\ &\equiv p\,r(\phi(\psi(x))) + m(\phi(\psi(x))) \pmod{f(x)} \\ &\equiv p\,r(x) + m(x) \pmod{f(x)}. \end{aligned}$

Then, since r and m have small coefficients, A(x) is exactly equal to pr(x)+m(x), so A(x) mod p is equal to m(x) mod p.

FIG. 5 is an example method 500 for generating an isomorphism and an inverse isomorphism. The method 500 may be employed to perform homomorphic encryption. As an example, the method 500 may be executed by a component of an example system such as the system 100. In examples, the method 500 may be executed on one or more devices comprising at least one processor configured to store and execute operations, programs, or instructions.

At operation 502, a polynomial f(x) of exact degree n with small coefficients in a ring F_(q)[x] is selected. In some embodiments, the selected polynomial f(x) is irreducible and monic. For example, the polynomial f(x) may be selected randomly.

At operation 504, a polynomial h(y) of exact degree n with small coefficients in a ring F_(q)[y] is selected. In some embodiments, the selected polynomial h(y) is irreducible and monic. Like the polynomial f(x), the polynomial h(y) may be selected randomly.

At operation 506, an isomorphism from the ring F_(q)[x]/(f(x)) to the ring F_(q)[y]/(h(y)) is constructed. In some embodiments, the isomorphism is constructed by determining a root ϕ(y) of the polynomial f(x) in the ring F_(q)[y]/(h(y)). The root ϕ(y) of the polynomial f(x) in the ring F_(q)[y]/(h(y)) may be found using a root-finding algorithm.

At operation 508, an inverse isomorphism from the ring F_(q)[y]/(h(y)) to the ring F_(q)[x]/(f(x)) is constructed. In some embodiments, the inverse isomorphism is constructed by determining an inverse root ψ(x) of the polynomial h(y) in the ring F_(q)[x]/(f(x)). The inverse isomorphism may be constructed from the isomorphism using linear algebra.

The described encryption engine has leveled homomorphic properties. For example, if m₁(x), . . . , m_(K)(x) are plaintexts and c₁(y), . . . , c_(K)(y) are associated ciphertexts and q is chosen sufficiently large, then decryption of the product c₁(y) · · · c_(K)(y) gives the exact value of

$\prod_{i=1}^{K} \left( p\,r_{i}(x) + m_{i}(x) \right) \quad \text{in} \quad \frac{\mathbb{Z}[x]}{(f(x))}.$

Then, reduction modulo p yields

m₁(x) · · · m_(K)(x) in F_(p)[x]/(f(x)).

Addition of ciphertexts works similarly. But note that computation on plaintexts takes place in the ring F_(p)[x]/(f(x)).

A method to construct the polynomials f, h, ϕ, and ψ is described below with respect to FIG. 6. The four polynomials f, h, ϕ, and ψ must satisfy the following conditions:

-   f(x) ∈ F_(q)[x] is of exact degree n with small coefficients;
-   h(y) ∈ F_(q)[y] is of exact degree n with random coefficients;
-   ϕ(y) ∈ F_(q)[y] and ψ(x) ∈ F_(q)[x] have degree less than n;
-   h(y) | f(ϕ(y)); and
-   ϕ(ψ(x)) ≡ x (mod f(x)).

In some embodiments, one or both of f(x) and h(y) are irreducible monic polynomials.

FIG. 6 is an example method 600 for key generation. The method 600 may be employed to perform homomorphic encryption. As an example, the method 600 may be executed by a component of an example system such as the system 100. In examples, the method 600 may be executed on one or more devices comprising at least one processor configured to store and execute operations, programs, or instructions.

At operation 602, random small degree n polynomials f(x) ∈ F_(q)[x] are selected until one is found that is irreducible. The polynomials f(x) ∈ F_(q)[x] may be of exact degree n. Additionally, in some embodiments, the selected polynomials f(x) ∈ F_(q)[x] are monic.

There are q^(n) monic degree n polynomials in F_(q)[x], and the proportion of these polynomials that are irreducible is

$\frac{1}{n} \sum_{d \mid n} \mu\!\left(\frac{n}{d}\right) \frac{1}{q^{n-d}}.$

This is more-or-less 1/n + O(1/q^(n/2)) and is the function field version of the classical prime number theorem. Classical primality tests for integers such as Miller-Rabin can be adapted to the function field setting and used to check (at least with very high probability) whether a given polynomial is irreducible. The probability of a given polynomial being irreducible is roughly 1/n.

At operation 604, random degree n polynomials h(y) ∈ F_(q)[y] are selected until one is found that is irreducible. The polynomials h(y) ∈ F_(q)[y] may be of exact degree n. Additionally, in some embodiments, the selected polynomials h(y) ∈ F_(q)[y] are monic. Testing whether h(y) is irreducible can be performed similarly to testing whether f(x) is irreducible as described with respect to operation 602.

At operation 606, a root of the polynomial f(x) in the field F_(q)[y]/(h(y)) ≈ F_(q^n) is found. This root is then lifted to a polynomial ϕ(y) ∈ F_(q)[y] of degree less than n. A polynomial-time root-finding algorithm such as the routine polrootsff in Pari-GP, available from the PARI group, Bordeaux, France, can be used. Other root-finding algorithms may be used as well. Because the polynomial f(x) is irreducible of degree n, any one of its roots generates the field F_(q^n). Since any two fields with q^(n) elements are isomorphic, f(x) must have a root in the ring F_(q)[y]/(h(y)). Further, since F_(q^n)/F_(q) is Galois, any irreducible polynomial with one root must split completely, so f(x) has n distinct roots in the ring F_(q)[y]/(h(y)). Some embodiments take ϕ(y) mod h(y) as any one of these roots.

At operation 608, a unique polynomial ψ(x) ∈ F_(q)[x] of degree less than n is constructed that satisfies ψ(ϕ(y)) ≡ y (mod h(y)). In some embodiments, the polynomial ψ(x) is found by finding the roots of h(y) in the ring F_(q)[y]/(h(y)) in a manner similar to that described in operation 606. Then, the root that satisfies ψ(ϕ(y)) ≡ y (mod h(y)) is selected. Alternatively, in some embodiments, a root of ϕ(y) − x is calculated in the ring F_(q)[x]/(f(x)).

As another alternative, linear algebra can be used to find the unique polynomial ψ(x). Because the map defined by x ↦ ϕ(y) is a field isomorphism, there is an inverse isomorphism determined by the image of y. Accordingly, the inverse isomorphism can be written as

$y \mapsto \psi(x) = \sum_{i=0}^{n-1} c_{i}\,x^{i}.$

The polynomial ψ(x) is then found by determining the c_(i) coefficients. Since

$y \;\mapsto\; \psi(x) \;\mapsto\; \psi(\phi(y))$

gives an automorphism of the ring F_(q)[y]/(h(y)),

ψ(ϕ(y)) ≡ y (mod h(y)).

Hence, it suffices to determine the (unique) polynomial ψ(x) of degree less than n satisfying the above equation, which when combined with the automorphism can be written as

$\sum_{i=0}^{n-1} c_{i}\,\phi(y)^{i} \equiv y \pmod{h(y)}.$

Each power ϕ(y)^(i) is written modulo h(y) as polynomial of degree lessthan n. In other words, the known values of ϕ(y) and h(y) are used towrite

${\varphi (y)}^{i} = {{\sum\limits_{j = 0}^{n - 1}{a_{ij}{y^{j}\left( {{mod}\mspace{14mu} {h(y)}} \right)}\mspace{14mu} {for}\mspace{14mu} 0}} \leq i \leq {n.}}$

Substituting this into ψ(ϕ(y)) yields

$\begin{matrix}{{\psi \left( {\varphi (y)} \right)} = {\sum\limits_{i = 0}^{n - 1}{c_{i}{\varphi (y)}^{i}}}} \\{\equiv {\sum\limits_{i = 0}^{n - 1}{c_{i}{\sum\limits_{j = 0}^{n - 1}{a_{ij}{y^{j}\left( {{mod}\mspace{14mu} {h(y)}} \right)}}}}}} \\{\equiv {\sum\limits_{i = 0}^{n - 1}{{c_{i}\left( {\sum\limits_{j = 0}^{n - 1}{a_{ij}y^{j}}} \right)}\left( {{mod}\mspace{14mu} {h(y)}} \right)}}}\end{matrix}.$

Hence ψ will satisfy ψ(ϕ(y)) ≡ y (mod h(y)) if c₀, . . . , c_(n−1) are chosen to satisfy

$\sum_{i=0}^{n-1} a_{ij}\, c_{i} = \begin{cases} 1 & \text{if } j = 1, \\ 0 & \text{if } j \neq 1. \end{cases}$

This is a system of n equations in the n variables c₀, . . . , c_(n−1) over the ring F_(q) and can be solved using standard techniques to find the polynomial ψ(x) that will satisfy ψ(ϕ(y)) ≡ y (mod h(y)).

In some embodiments, using linear algebra to find the unique polynomial ψ(x) includes computing one or more powers ϕ(y)^(i) (mod h(y)) for values of i between 0 and n in the field F_(q)[x], wherein each of the one or more powers includes a coefficient value; placing each coefficient value into a coefficient matrix; computing an inverse matrix using the coefficient matrix; and computing the coefficients for an inverse polynomial, wherein the coefficients are based on the inverse matrix.

In some embodiments, the polynomial f(x) is secret and the polynomial h(y) is public. Because the polynomials f(x) and h(y) are chosen independently, knowledge of the polynomial h(y) reveals no information about f(x). A hypothetical attacker would only begin to acquire information about f(x) when given a ciphertext. Further, the fact that there are no security issues in the choice of h(y) other than that it be irreducible in F_(q)[y] allows for choosing h(y) to simplify field operations in the ring F_(q)[y]/(h(y)). For example, h(y) may be a trinomial.

The encryption system described herein may be used for either symmetric (private key) leveled homomorphic cryptosystems or asymmetric (public key) cryptosystems. Initially, a list of encryptions is published. For example,

e_(0,1), e_(0,2), . . . , e_(0,l) are encryptions of 1,

e_(1,1), e_(1,2), . . . , e_(1,l) are encryptions of x,

e_(n−1,1), e_(n−1,2), . . . , e_(n−1,l) are encryptions of x^(n−1).

Then a mod p plaintext m(x) is encrypted as

${c = {\sum\limits_{j = 1}^{l}{\sum\limits_{i = 0}^{n - 1}{\left( {{pr}_{ij} + m_{ij}} \right)e_{ij}\mspace{14mu} \left( {{mod}\mspace{14mu} q} \right)}}}},$

where the r_(ij) are random trinary values and where, for each i, a j(i) in [1, l] is randomly chosen and m_(ij) is set as

$m_{ij} = \left\{ \begin{matrix}m_{ij} & {{{{if}\mspace{14mu} j} = {j(i)}},} \\0 & {{{if}\mspace{14mu} j} \neq {{j(i)}.}}\end{matrix} \right.$

Then c is an encryption of m. For a given choice of {r_(ij)} and m, there are l^(n) possible encryptions depending on the choice of j(i). So, assuming that there is a collision attack, the quantity l^(n/2) should be chosen larger than 2^(K) for the desired bit security K. The public key has size roughly nl·log₂(q) bits. In some embodiments, the public key size is further reduced by publishing only the l encryptions of x, since one can multiply i of those chosen at random with replacement to get l^(i) encryptions of x^(i).

In an alternate embodiment, the parameter p is a polynomial instead of a small prime number, as explained herein. A product of t plaintexts has the form

$\prod\limits_{i = 1}^{t}{\left( {{p{r_{i}(x)}} + {m_{i}(x)}} \right){mod}\mspace{14mu} {{f(x)}.}}$

In order for decryption to be successful, the coefficients of this reduced product must be in the range −½q to ½q. In some situations, to reduce the size of the coefficients of the above-described product of t plaintexts (prior to the reduction modulo f(x)), a polynomial p(x) is used for the parameter p. There are some potential tradeoffs to this approach, however. First, if p(x) is non-constant, then the degree of r(x) is smaller, which means there is less combinatorial security in the choice of r. Second, decryption ultimately reveals the value of m(x) in the ring ℤ[x]/(p(x), f(x)). So, for example, if p(x) = x − 2, then one obtains the value of m(2) mod f(2), and thus all computations are being done in the ring ℤ/f(2)ℤ. In this example, some embodiments choose an f(x) so that f(2) is prime. More generally, some embodiments choose an f(x) so that the ring ℤ[x]/(p(x), f(x)) is a field. In some embodiments, decrypting the ciphertext will be based in part on an image of the encrypted message in the ring F_(q)[x]/(f(x), p(x)), the quotient of the polynomial ring F_(q)[x] by the ideal generated by the polynomials f(x) and p(x).

Having described various example methods to perform homomorphic encryption, the disclosure will now describe systems that may be employed to perform the methods disclosed herein. FIG. 6 and the additional discussion in the present disclosure are intended to provide a brief general description of a suitable computing environment in which the disclosed embodiments and/or portions thereof may be implemented. Although not required, the embodiments described herein may be implemented as computer-executable instructions, such as by program modules, being executed by a computer, such as a client workstation or a server, including a server operating in a cloud environment. Generally, program modules include routines, programs, objects, components, data structures and the like that perform particular tasks or implement particular abstract data types. Moreover, it should be appreciated that the disclosed embodiments and/or portions thereof may be practiced with other computer system configurations, including hand-held devices, multi-processor systems, microprocessor-based or programmable consumer electronics, network PCs, minicomputers, mainframe computers and the like. The disclosed embodiments may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote memory storage devices.

FIG. 7 illustrates one example of a suitable operating environment 700 in which one or more of the present embodiments may be implemented. This is only one example of a suitable operating environment and is not intended to suggest any limitation as to the scope of use or functionality. Other well-known computing systems, environments, and/or configurations that may be suitable for use include, but are not limited to, personal computers, server computers, hand-held or laptop devices, multiprocessor systems, microprocessor-based systems, programmable consumer electronics such as smartphones, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like.

In its most basic configuration, operating environment 700 typically includes at least one processing unit(s) 702 and memory 704. Depending on the exact configuration and type of computing device, memory 704 (instructions to perform homomorphic encryption) may be volatile (such as RAM), non-volatile (such as ROM, flash memory, etc.), or some combination of the two. Memory 704 may store computer instructions related to performing the homomorphic encryption and decryption embodiments disclosed herein, may store raw data, and/or may store compressed and encrypted data. Memory 704 may also store computer-executable instructions that may be executed by the processing unit(s) 702 to perform the methods disclosed herein.

This most basic configuration is illustrated in FIG. 6 by dashed line 706. Further, environment 700 may also include storage devices (removable, 708, and/or non-removable, 710) including, but not limited to, magnetic or optical disks or tape. Similarly, environment 700 may also have input device(s) 714 such as keyboard, mouse, pen, voice input, etc. and/or output device(s) 716 such as a display, speakers, printer, etc. Also included in the environment may be one or more communication connections, 712, such as an Ethernet adaptor, a modem, a Bluetooth adaptor, WiFi adaptor, etc.

Operating environment 700 typically includes at least some form of computer readable media. Computer readable media can be any available media that can be accessed by processing unit(s) 702 or other devices comprising the operating environment. By way of example, and not limitation, computer readable media may comprise computer storage media and communication media. Computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data. Computer storage media includes RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other tangible medium which can be used to store the desired information. Communication media embodies computer readable instructions, data structures, program modules, or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media. The term “modulated data signal” means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media includes wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared and other wireless media. Combinations of any of the above should also be included within the scope of computer readable media.

The operating environment 700 may be a single computer operating in a networked environment using logical connections to one or more remote computers. The remote computer may be a personal computer, a server, a router, a network PC, a peer device or other common network node, and typically includes many or all of the elements described above as well as others not so mentioned. The logical connections may include any method supported by available communications media. Such networking environments are commonplace in offices, enterprise-wide computer networks, intranets and the Internet.

The aspects of the disclosure described herein may be employed using software, hardware, or a combination of software and hardware to implement and perform the systems and methods disclosed herein. Although specific devices have been recited throughout the disclosure as performing specific functions, one of skill in the art will appreciate that these devices are provided for illustrative purposes, and other devices can be employed to perform the functionality disclosed herein without departing from the scope of the disclosure.

This disclosure described some embodiments of the present technology with reference to the accompanying drawings, in which only some of the possible embodiments were shown. Other aspects can, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments were provided so that this disclosure was thorough and complete and fully conveyed the scope of the possible embodiments to those skilled in the art.

Although specific embodiments were described herein, the scope of the technology is not limited to those specific embodiments. One skilled in the art will recognize other embodiments or improvements that are within the scope and spirit of the present technology. Therefore, the specific structure, acts, or media are disclosed only as illustrative embodiments. The scope of the technology is defined by the following claims and any equivalents therein.

A Numerical Example: A Single Encryption

In this section we do an example illustrating key creation, encryption, and decryption with very small parameters that do not allow homomorphic decryption. We take

q=11, n=7, p=3.

We choose random small monic polynomials of degree n in F_(q)[x] until finding one that is irreducible,³

f(x) = x⁷ − x⁶ − x⁴ + x³ + 1.

We next choose random monic polynomials of degree n in F_(q)[y] (but no longer with small coefficients) until finding one that is irreducible:

h(y) = y⁷ + y⁶ − y⁵ + 5y⁴ + 5y³ − 4y² + 3y − 3.

We use a root-finding algorithm to find a root ϕ(y) of f(x) in the field F_(q)[y]/(h(y)):

ϕ(y) = −y⁶ + 4y⁵ + 2y⁴ − 3y³ + y² − 4y + 5.

We use the linear algebra method to construct the inverse map ψ(x). The first step is to compute the powers ϕ(y)^(i) mod h(y) for 0 ≤ i < n,

ϕ(y)⁰ mod h(y) = 1

ϕ(y)¹ mod h(y) = −y⁶ + 4y⁵ + 2y⁴ − 3y³ + y² − 4y + 5

ϕ(y)² mod h(y) = 5y⁶ − 2y⁵ − 2y⁴ − 2y³ + 4y² + 2y + 2

ϕ(y)³ mod h(y) = 5y⁶ − 2y⁵ − 5y⁴ + 2y³ − 4y² − y + 2

ϕ(y)⁴ mod h(y) = 3y⁶ − 4y⁵ + 3y³ − 3y² − y − 3

ϕ(y)⁵ mod h(y) = 4y⁶ + 4y⁵ − 5y⁴ − 3y³ + y² − 5y − 2

ϕ(y)⁶ mod h(y) = y⁶ − 2y⁵ − 4y⁴ − 2y³ − 2y² − 4y − 1

and put the coefficients into a matrix

$A = {\begin{pmatrix}1 & 0 & 0 & 0 & 0 & 0 & 0 \\5 & {- 4} & 1 & {- 3} & 2 & 4 & {- 1} \\2 & 2 & 4 & {- 2} & {- 2} & {- 2} & 5 \\2 & {- 1} & {- 4} & 2 & {- 5} & {- 2} & 5 \\{- 3} & {- 1} & {- 3} & 3 & 0 & {- 4} & 3 \\{- 2} & {- 5} & 1 & {- 3} & {- 5} & 4 & 4 \\{- 1} & {- 4} & {- 2} & {- 2} & {- 4} & {- 2} & 1\end{pmatrix}.}$

(Note that all of these computations are being done in F_(q).) Next we compute the inverse matrix

${A^{- 1}{mod}\; q} = \begin{pmatrix}1 & 0 & 0 & 0 & 0 & 0 & 0 \\{- 3} & 4 & 3 & 0 & {- 2} & 5 & {- 3} \\5 & 4 & 4 & 4 & {- 3} & 0 & {- 5} \\4 & 4 & 0 & 4 & 3 & {- 2} & 5 \\{- 5} & {- 2} & 5 & {- 2} & 3 & {- 4} & 1 \\{- 1} & {- 1} & {- 3} & {- 1} & 1 & 0 & 5 \\{- 4} & 0 & 1 & {- 5} & {- 5} & 0 & 3\end{pmatrix}$

and use it to compute the coefficients

$\begin{matrix}{\left( {c_{0},\ldots \mspace{14mu},c_{n - 1}} \right) = {\left( {0,1,0,\ldots \mspace{14mu},0} \right)A^{- 1}{mod}\; q}} \\{= \left( {{- 3},5,{- 2},0,3,4,{- 3}} \right)}\end{matrix}$

for the inverse polynomial

ψ(x) = −3x⁶ + 5x⁵ − 2x⁴ + 3x² + 4x − 3.

A quick check shows that

ψ(ϕ(y)) mod h(y) = y,

ϕ(ψ(x)) mod f(x) = x.

We are now ready to encrypt a message. We take plaintext m and random polynomial r to be

m(x) = −x⁶ + x⁵ + x⁴ − x,

r(x) = x⁵ + x⁴ − x² − x.

Then the ciphertext is

$\begin{matrix}{{c(y)} = {{{pr}\left( {\varphi (y)} \right)} + {{m\left( {\varphi (y)} \right)}\; {mod}\; {h(y)}}}} \\{= {{5y^{6}} + {3y^{5}} + {4y^{4}} - {2y^{3}} + y - 1.}}\end{matrix}$

To decrypt we compute

$\begin{matrix}{{a(x)} = {{c\left( {\psi (x)} \right)}\; {mod}\; {f(x)}}} \\{{= {{- x^{6}} + {4x^{5}} + {4x^{4}} - {3x^{2}} - {4x\mspace{14mu} {in}\mspace{14mu} {_{q}\lbrack x\rbrack}}}},} \\{{\equiv {{- x^{6}} + x^{5} + x^{4} - {x\left( {{mod}\; 3} \right)}}} = {{m(x)}.\sqrt{}}}\end{matrix}$

A Numerical Example: Homomorphic Properties

In this section we do an example with larger parameters and illustrate homomorphic decryption of a product of two ciphertexts. We note that the parameters are far too small to be combinatorially secure. We take

q=541, n=7, p=3.

We find polynomials f, h, ϕ, ψ as in Section 5, omitting the details of the computation:

f(x) = x⁷ − x⁵ + x³ + x − 1

h(y) = y⁷ − 177y⁶ − 137y⁵ + 172y⁴ + 84y³ − 148y² − 160y + 15

ϕ(y) = −155y⁶ + 26y⁵ + 123y⁴ − 118y³ + 41y² + 84y − 162

ψ(x) = 8x⁶ − 91x⁵ + 258x⁴ + 137x³ + 266x² − 201x − 143

We next encrypt two plaintexts, keeping in mind that all computations are being done modulo 541:

m₁(x) = x⁵ − x³ − x² + x r₁(x) = −x³ + x² + x − 1 $\begin{matrix}{{c_{1}(y)} = {{{pr}_{1}\left( {\varphi (y)} \right)} + {{m_{1}\left( {\varphi (y)} \right)}{mod}\; {h(y)}}}} \\{= {{144\; y^{6}} + {121y^{5}} - {94y^{4}} + {81y^{3}} + {203y^{2}} - {198y} + 117}}\end{matrix}$ m₂(x) = x⁶ + x⁵ − x⁴ − 1 r₂(x) = −x⁶ + x⁴ + x² − x$\begin{matrix}{{c_{2}(y)} = {{- {{pr}_{2}\left( {\varphi (y)} \right)}} + {{m_{2}\left( {\varphi (y)} \right)}\; {mod}\; {h(y)}}}} \\{= {{{- 73}y^{6}} + {85y^{5}} + {241y^{4}} - {34y^{3}} - {152y^{2}} + {168y} + 263}}\end{matrix}$

We note for future reference that the product of the plaintexts is

$\begin{matrix}{{m_{3}(x)} = {{{m_{1}(x)} \cdot {m_{2}(x)}}\; {mod}\; \left( {{f(x)},p} \right)}} \\{= {x^{4} + x^{3} + x^{2} - x - 1.}}\end{matrix}$

We next multiply the ciphertexts,

$\begin{matrix}{{c_{3}(y)} = {{{c_{1}(y)} \cdot {c_{2}(y)}}\; {{mod}\left( {{h(y)},\ q} \right)}}} \\{= {{{- 21}y^{6}} + {64y^{5}} - {65y^{4}} - {136y^{3}} + {223y^{2}} + {211y} + 28.}}\end{matrix}$

When we decrypt the product of the ciphertexts, we obtain the product of the plaintexts:

$\begin{matrix}{{a(x)} = {{c_{3}\left( {\psi (x)} \right)}{{mod}\left( {{f(x)},\ q} \right)}}} \\{= {{3x^{6}} - {15x^{5}} + {16x^{4}} + {4x^{3}} - {8x^{2}} - x + 2}} \\{= {x^{4} + x^{3} + x^{2} - x - {1\mspace{14mu} {{mod}\ \left( {{f(x)},\ p} \right)}}}} \\{= {{m_{3}(x)}\mspace{14mu} {{mod}\ \left( {{f(x)},p} \right)}}}\end{matrix}$

We note that the reason that homomorphic decryption works is because the product

$\begin{matrix}{{\left( {{p\; {r_{1}(x)}} + {m_{1}(x)}} \right) \cdot \left( {{{pr}_{2}(x)}{m_{2}(x)}} \right)} = {{{- 2}x^{11}} + x^{10} + {10x^{9}} - {8x^{8}} - {11x^{7}} + {11x^{6}} -}} \\{{{8x^{5}} + {12x^{4}} + {10x^{3}} - {23x^{2}} + {5x} + 3}} \\{\equiv {{3x^{6}} - {15x^{5}} + {16x^{4}} + {4x^{3}} - {8x^{2}} -}} \\{{x + {2\ \left( {mod\ {f(x)}} \right)}}}\end{matrix}$

has coefficients that are smaller than ⌊q/2⌋ = 270.

To further illustrate this last remark, we do an example in which homomorphic decryption fails because p is too large compared to q. We take

q=541, n=7, p=13.

We use the polynomials

f(x) = x⁷ + x⁶ − x⁴ + x − 1

h(y) = y⁷ + 101y⁶ − 81y⁵ − 69y⁴ − 127y³ − 168y² − 224y − 223

ϕ(y) = 89y⁶ − 168y⁵ + 245y⁴ + 186y³ + 130y² − 35y + 86

ψ(x) = 3x⁶ + 261x⁵ − 150x⁴ + 87x³ + 62x² + 16x + 201

We choose plaintexts and compute ciphertexts as usual,

$\begin{matrix}{{m_{1}(x)} = {{- x^{5}} - x^{4} + x^{3} + x}} \\{{r_{1}(x)} = {x^{6} - x^{5} + x^{4} - x^{2}}} \\{{c_{1}(y)} = {{{pr}_{1}\left( {\varphi (y)} \right)} + {{m_{1}\left( {\varphi (y)} \right)}{mod}\ {h(y)}}}} \\{= {{148\; y^{6}} + {214y^{5}} + {266y^{4}} - {172y^{3}} + {70y^{2}} - {132y} + 119}} \\{{m_{2}(x)} = {{- x^{4}} + x^{3} - x^{2} + x}} \\{{r_{2}(x)} = {x^{4} + x^{3} - x^{2} - x}} \\{{c_{2}(y)} = {{{pr}_{2}\left( {\varphi (y)} \right)} + {{m_{2}\left( {\varphi (y)} \right)}mod\ {h(y)}}}} \\{= {{{- 157}y^{6}} + {250y^{5}} + {190y^{4}} - y^{3} - {86y^{2}} + {98y} + 66}}\end{matrix}$

The product of the plaintexts is

$\begin{matrix}{{m_{3}(x)} = {{{m_{1}(x)} \cdot {m_{2}(x)}}{{mod}\left( {{f(x)},\ p} \right)}}} \\{{= {{2x^{6}} - {4x^{5}} + {2x^{4}} - {2x^{3}} + {3x^{2}} - x}},}\end{matrix}$

but we observe that the product

$\begin{matrix}{{\left( {{p{r_{1}(x)}} + {m_{1}(x)}} \right) \cdot \left( {{{pr}_{2}(x)}{m_{2}(x)}} \right)} = {{156x^{10}} + {14x^{9}} - {234x^{8}} + {220x^{7}} - {142x^{6}} -}} \\{{{328x^{5}} + {184x^{4}} + {142x^{3}} - {12x^{2}}}} \\{\equiv {{{- 752}x^{6}} - {420x^{5}} + {496x^{4}} + {440x^{3}} -}} \\{{{62x^{2}} - {560x} + {468\mspace{14mu} \left( {{mod}\mspace{11mu} {f(x)}} \right)}}}\end{matrix}$

has coefficients whose magnitude is larger than ⌊q/2⌋ = 270. This means that decryption of c₃ will probably not be equal to m₁·m₂. And indeed we find that

$\begin{matrix}{{c_{3}(y)} = {{{c_{1}(y)} \cdot {c_{2}(y)}}{{{mod}h}(y)}}} \\{{= {{38y^{6}} - {179y^{5}} + {137y^{4}} - {191y^{3}} - {164y^{2}} - {129y} - {219}}},} \\{{a(x)} = {{c_{3}\left( {\psi (x)} \right)}{{{mod}f}(x)}}} \\{= {{{- 211}x^{6}} + {121x^{5}} - {45x^{4}} - {101x^{3}} - {62x^{2}} - {19x} - 73}} \\{\equiv {{{- 3}x^{6}} + {4x^{5}} - {6x^{4}} + {3x^{3}} + {3x^{2}} - {6x} + {5\mspace{14mu} \left( {{mod}\ 13} \right)}}} \\{\neq {{m_{3}(x)}.}}\end{matrix}$

7. A High-Dimensional Lattice Attack

To ease notation, in this section we write

m′=pr+m

to denote “plaintext plus randomness.” Thus, m′ has small coefficients, since p is small and r and m have small coefficients. Given k ciphertexts

c₁, c₂, . . . , c_(k)

with k > n, we describe a lattice attack on the associated plaintexts m′₁, . . . , m′_(k) in a lattice L satisfying:

${{\dim \mspace{14mu} L} = {kn}},{{\text{Gaussian~~expected}\mspace{14mu} {\lambda_{1}(L)}} \approx {\sqrt{{kn}\text{/}\pi \; e} \cdot q^{1 - \frac{n}{k}}}},{\text{Target~~size} \approx {{\sqrt{n^{2} + {kn}} \cdot p}\text{/}3.}}$

If we ignore the multiplicative structure, then the map

$\left. \frac{_{q}\lbrack x\rbrack}{\left( {f(x)} \right)}\rightarrow\frac{_{q}\lbrack y\rbrack}{\left( {h(y)} \right)} \right.$m(x)mod f(x) ↦ m(φ(y))mod h(y)

defined in (3.2) may be viewed as a linear transformation from F_(q)^n to F_(q)^n. More precisely, taking 1, x, . . . , x^(n−1) and 1, y, . . . , y^(n−1) as bases, for each 0 ≤ i < n we write

$x^{i} \mapsto \varphi(y)^{i} \bmod h(y) = \sum_{j=0}^{n-1} a_{ij}\, y^{j}.$

We let A = (a_(ij)) be the associated matrix. Then, identifying polynomials v(x) = v₀ + v₁x + . . . + v_(n−1)x^(n−1) with vectors v = (v₀, v₁, . . . , v_(n−1)), the formula

c(y)=m′(ϕ(y)) mod h(y)

becomes

c≡m′A (mod q).

In this formula, the attacker knows c, and she knows that m′ is short, but she does not know A. So there are n² + n unknowns, namely the coordinates of A and m′, of which n coordinates are small. So this single equation does not reveal much information about m′ or A. However, suppose that the attacker has access to a large number of ciphertexts

c₁, c₂, . . . , c_(k).

Writing m′_(i) = (m′_(i0), m′_(i1), . . . , m′_(i,n−1)), and similarly for c_(i), we form the matrices

$M' = \bigl(m'_{ij}\bigr)_{1 \le i \le k,\; 0 \le j < n} \quad \text{and} \quad C = \bigl(c_{ij}\bigr)_{1 \le i \le k,\; 0 \le j < n}.$

This gives the formula

C≡M′A (mod q).  (7.1)

The unknown matrix M′ has small entries, so it is a short vector in the space ℤ^(k×n) of k-by-n matrices having integer coefficients. So we can set up a lattice problem to find M′. Let U be the k-by-n matrix defined by

C=M′A+qU.

Then we have a matrix equation

${\begin{pmatrix}C & {qI}\end{pmatrix}\begin{pmatrix}A^{- 1} \\{{- U}A^{- 1}}\end{pmatrix}} = M^{\prime}$

We observe that the dimensions of these matrices are

${\begin{pmatrix}C & {qI}\end{pmatrix} \in {\mathbb{Z}}^{k \times {({n + k})}}},{\begin{pmatrix}A^{- 1} \\{{- U}A^{- 1}}\end{pmatrix} \in {\mathbb{Z}}^{{({n + k})} \times n}},{M^{\prime} \in {{\mathbb{Z}}^{k \times n}.}}$

The small target matrix M′ thus lives in the known sublattice of ℤ^(k×n) defined by

${L\left( {C,\ q} \right)}:={\left\{ {{\begin{pmatrix}C & {qI}\end{pmatrix}W\text{:}\mspace{14mu} W} \in {\mathbb{Z}}^{{({n + k})} \times n}} \right\} = {{{Image}\left( {{\mathbb{Z}}^{{({n + k})} \times n}\underset{W\mapsto{{({C\mspace{14mu} {qI}})}W}}{\rightarrow}{\mathbb{Z}}^{k \times n}} \right)}.}}$

We have

dim L(C, q)=kn.

We use the notation E_(ij) for a matrix (of the appropriate dimensions) with a 1 in the ij-entry and 0 elsewhere. In order to compute (estimate) the discriminant, we take the images of each of the n² + kn basis matrices E_(ij) ∈ ℤ^((n+k)×n) and write it as a linear combination of the kn basis matrices E_(ij) ∈ ℤ^(k×n). Thus

E_(ij) ↦ (C qI)E_(ij) = (0 0 . . . 0 * 0 . . . 0),

where * denotes the i-th column of (C qI), which now occupies the j-th column in the image space. In other words, if we write the columns of C as (c′₀ c′₁ . . . c′_(n−1)) and let e₁, . . . , e_(k) be the standard basis vectors in ℤ^k, then

${\begin{pmatrix}C & {qI}\end{pmatrix}E_{ij}} = {\overset{\overset{j}{\downarrow}}{\left( {0\mspace{14mu} \cdots \mspace{14mu} \begin{matrix}0 & \begin{matrix}v & {0\mspace{14mu} \cdots \mspace{14mu} 0}\end{matrix}\end{matrix}} \right)}\mspace{14mu} {with}}$$v = \left\{ \begin{matrix}c_{i}^{\prime} & {{{{if}\mspace{14mu} 1} \leq i \leq n},} \\{qe}_{i - n} & {{{if}\mspace{14mu} n} < i \leq {n + {k.}}}\end{matrix} \right.$

In particular, we have

(C qI)E_(ij) = qE_(i−n,j) for all 0 ≤ j < n and all n < i ≤ n + k.

So among the n² + kn matrices that we know span L(C, q), there are kn of them that are q times a basis matrix.

We now view matrices in ℤ^(k×n) as simply being vectors of dimension kn. Then L(C, q) is the row span of an (n² + kn)-by-kn matrix, so its discriminant is the gcd of the kn-by-kn minors of that matrix. But from our computation, the bottom kn-by-kn block of this matrix is q times the identity matrix. In other words, the discriminant of L(C, q) is the gcd of the kn-by-kn minors of an (n² + kn)-by-kn matrix of the form

$\begin{pmatrix}* \\{qI}_{kn}\end{pmatrix},$

where the top block is n²-by-kn and the bottom block is kn-by-kn. Now any kn-by-kn block must include at least kn − n² rows from the bottom block, hence its determinant will be divisible by q^(kn−n²). (This assumes that k ≥ n.) We have proven that

q^(kn−n²) | Disc L(C, q).

(In practice, they are likely to be equal, or differ by a very small factor.) The Gaussian expected norm of the smallest vector in a lattice L is

γ = γ(L) = √(dim L/πe) · (Disc L)^(1/dim L),

so for L(C, q) we have

γ = γ(C, q) ≈ √(kn/πe) · q^(1−n/k).

On the other hand, the coordinates of the plaintexts are random numbers modulo p, and the matrix M′ has n² + kn entries, so its Euclidean norm is roughly

${M^{\prime}} \approx {\sqrt{n^{2} + {kn}} \cdot {\frac{p}{3}.}}$

Hence the Hermite ratio is

$\frac{\gamma}{\|M'\|} \approx \sqrt{\frac{1}{1 + n/k}}\; \frac{q^{1 - n/k}}{p}.$

So taking (say) k = 2n, the Hermite ratio is roughly p⁻¹√q. On the other hand, this is in a lattice of dimension 2n², so if n ≥ 100, then it is unlikely that it will be feasible to run a lattice reduction algorithm.

Remark 4. One might make the more conservative assumption that the attacker knows a large number of plaintext/ciphertext pairs

{(m₁, c₁), . . . (m_(k), c_(k))},

but of course we must assume that she does not know the random quantities r_(i) that were used for encryption; cf. Remark 2. Letting R = (r_(ij)) and M = (m_(ij)), we have

M′=pR+M,

so the matrix equation (7.1) becomes

C=pRA+MA (mod q).

In this formula, the attacker knows C and M, and she knows that R is small. So she can set up a closest vector problem to find R. The net effect is ∥R∥ ≈ ∥M′∥/p, so the target vector becomes smaller, leading to a Hermite ratio of roughly √q, rather than p⁻¹√q.

Remark 5. We note that the lattice attack described in this section ignores two additional pieces of structure. First, the map is a field isomorphism between two copies of F_(q^n), not merely a vector space isomorphism between two copies of F_(q)^n. Second, the polynomial used to define one of the copies of F_(q^n) has small coefficients. It is possible to exploit these properties to formulate an attack that requires finding small solutions to systems of higher degree multivariable polynomial equations, but we do not see how to use these properties while keeping the attack linear, i.e., a lattice problem.

8. Size Of The Remainder

In this section we investigate the size of the coefficients of the remainder when one polynomial is divided by another. Fix integers m ≥ n > 0. Fix a polynomial

${f(x)} = {{\prod\limits_{i = 1}^{n}\left( {x - \theta_{i}} \right)} \in {{{\mathbb{C}}\lbrack x\rbrack}.}}$

Let

${b(x)} = {\sum\limits_{i = 0}^{m - 1}{b_{i}x^{i}}}$

be chosen with each b_(i) satisfying some probability distribution. Different coefficients may have different distributions, but we assume that they are independent and have mean 0, which implies that⁴

E(b_(i) b_(j)) = E(b_(i))E(b_(j)) = 0 if i ≠ j,

while the numbers E(b_(i)²) depend on the distributions satisfied by the various b_(i).

We perform division with remainder,

b(x)=f(x)q(x)+r(x) with 0≤deg r<n.

As usual, we view the polynomials as vectors,

b = (b₀, . . . , b_(m−1)) and r = (r₀, . . . , r_(n−1)).

We let V denote the Vandermonde matrix of the θ_(i)'s,

${V = {\left( \theta_{i}^{j} \right)_{\;_{0 \leq j < n}^{1 \leq i \leq n}} = \begin{pmatrix}1 & \theta_{1} & \ldots & \theta_{1}^{n - 1} \\1 & \theta_{2} & \ldots & \theta_{2}^{n - 1} \\\vdots & \; & \ddots & \vdots \\1 & \theta_{n} & \ldots & \theta_{n}^{n - 1}\end{pmatrix}}},$

and we set

$\theta^{(j)} = {\begin{pmatrix}\theta_{1}^{j} \\\theta_{2}^{j} \\\vdots \\\theta_{n}^{j}\end{pmatrix}.}$

Then we set

${{b(\theta)} = {\begin{pmatrix}{b\left( \theta_{1} \right)} \\{b\left( \theta_{2} \right)} \\\vdots \\{b\left( \theta_{n} \right)}\end{pmatrix} = {\sum\limits_{j = 0}^{m - 1}{b_{j}\theta^{(j)}}}}},$

and similarly for r(θ).

We take the relation b(x)=f(x)q(x)+r(x) and substitute x=θ₁, . . . ,θ_(n). Since f(θ_(i))=0, this gives

r(θ_(i))=b(θ_(i)) for all 1≤i≤n.

With our earlier notation, this is simply the equality of vectors

r(θ)=b(θ).

Now we observe that since r has degree at most n−1, we can write r(θ) as

${r(\theta)} = {{\sum\limits_{j = 0}^{n - 1}{r_{j}\theta^{(j)}}} = {V{r.}}}$

Hence

r=V ⁻¹ b(θ).

We now compute the expected value of ∥r∥² as b(x) varies.

$\begin{aligned} E(\|r\|^{2}) &= E\bigl(\|V^{-1} b(\theta)\|^{2}\bigr) \\ &= E\bigl({}^{t}b(\theta)\, {}^{t}V^{-1} V^{-1} b(\theta)\bigr) \\ &= E\Bigl(\sum_{j,k=0}^{m-1} b_{k} b_{j}\, {}^{t}\theta^{(k)}\, {}^{t}V^{-1} V^{-1} \theta^{(j)}\Bigr) \\ &= \sum_{j,k=0}^{m-1} E(b_{k} b_{j})\, {}^{t}\theta^{(k)}\, {}^{t}V^{-1} V^{-1} \theta^{(j)} \\ &= \sum_{j=0}^{m-1} E(b_{j}^{2})\, {}^{t}\theta^{(j)}\, {}^{t}V^{-1} V^{-1} \theta^{(j)} \\ &= \sum_{j=0}^{m-1} E(b_{j}^{2})\, \|V^{-1}\theta^{(j)}\|^{2}. \end{aligned} \qquad (8.1)$

This last formula explains what's going on. If we assume that f(x) is fixed and that deg b(x) is large compared to n = deg f(x), then we obtain the rough, but useful, estimate

${E\left( {r}^{2} \right)} \asymp {\max\limits_{0 \leq j < m}{\left( {{E\left( b_{j}^{2} \right)} \cdot {\max\limits_{1 \leq i \leq n}{\theta_{i}}^{j}}} \right).}}$

Which term dominates will depend on the relative size of E(b_(j) ²) andmax|θ_(i)|^(j) for 0≤j<m.

In our scenario, we have b(x) = a₁(x) · · · a_(t)(x) with deg a_(i) ≈ n, so m ≈ nt. The coefficients of the a_(i) are uniform and small, so most of the coefficients of b are roughly C^(t). Then E(∥r∥²) is roughly C^(t) max|θ_(i)|^(nt). So in order for decryption to work, we need roughly

q>(C max|θ_(i)|^(n))^(t).

As expected, we get exponential growth in t. But this shows very clearly how the largest root of f(x) has a major influence on the required size of q.

Definition. Let f(x) ∈ ℤ[x] be a monic polynomial and let θ₁, . . . , θ_(n) be the roots of f. We let

${\mathcal{M}(f)} = {\max\limits_{1 \leq i \leq n}{{\theta_{i}}.}}$

This quantity is often called the Mahler measure of f, since it is also equal to

ℳ(f) = ∫₀¹ log|f(e^(2πit))| dt.

Example 6. Experiments clearly reveal the effect of the size of the roots of f(x). We fixed an f(x) of degree 11, chose 100 polynomials g(x) of degree 32 with random coefficients in [−2, 2] and computed the largest coefficients of g(x) modulo f(x). We used the polynomials

f₁(x) = x¹¹ − x¹⁰ + x⁹ + x⁶ − x⁶ + x² − x − 1.

f₂(x) = x¹¹ + x¹⁰ + x⁵ − x⁴ + x³ − x² − x − 1.

f₃(x) = x¹¹ − x¹⁰ + x⁷ + x⁶ + x⁵ − x³ − x² − 1.

Then

f      ℳ(f)      Avg |g mod f|_∞    St.Dev. |g mod f|_∞
f₁     1.1835    43.420             16.226
f₂     1.3511    352.250            191.452
f₃     1.4307    1167.720           666.196

Example 7. We now consider if there is an advantage in taking the non-zero coefficients of f(x) to be in the lower degree terms. So we take f(x) to have the form

f(x)=x^(n)+f̃(x),

where f̃(x) is random trinary of small degree. Simple estimates make it clear that such polynomials tend to have smaller roots than polynomials whose non-zero monomials have higher degree. In order to compare with the experiments in Example 6, we took polynomials f(x) of degree 11 with non-zero coefficients on monomials of degree at most 4, more precisely, we took

f(x)=x¹¹+a₄x⁴+a₃x³+a₂x²+a₁x−1

with the a_(i) randomly chosen from {±1}. The polynomial

f₄(x)=x¹¹−x⁴+x³−x²+x−1

has ℳ(f₄)=1.18225, so ℳ(f₄) is comparable to ℳ(f₁) for the f₁(x) in Example 6. For f₄ and 100 samples, we found

Avg|g mod f₄|_(∞)=28.450 and St.Dev. |g mod f₄|_(∞)=15.658.

These may be compared with the roughly similar values 43.4 and 16.2 for f₁. A likely reason for the difference is secondary effects from the other roots. Thus the magnitudes of the roots of f₁ are

1.18, 1.18, 1.15, 1.15, 1.08, 1.08, 1.00, 1.00, 0.890, 0.890, 0.,

while the magnitudes of the roots of f₄ are

1.18, 1.18, 1.00, 1.00, 1.00, 1.00, 1.00, 0.953, 0.953, 0.888, 0.888.

So the second largest root of f₁ is significantly larger than the second largest root of f₄.

As the formula (8.1) makes clear, the size of the inverse of the Vandermonde matrix V_(f) also has an effect. We list the sup norm and the spectral radius of V_(f)⁻¹ for our two example polynomials.

                               f₁       f₄
Spectral Radius of V_(f)⁻¹     7.766    5.522
Sup Norm of V_(f)⁻¹            0.666    0.263

We note that the remainder coefficients for division by f₁ and f₄ resemble one another much more closely than do the remainder coefficients for division by f₂ or f₃. This suggests that it is not so much the distribution of non-zero monomials that affects the remainder coefficients as it is the size of the roots of f. However, if one desires to find an f with comparatively small roots, it is definitely advantageous to select f with non-zero monomials in the lower degree terms.

Using a Polynomial for p

A product of t plaintexts has the form

$\prod\limits_{i = 1}^{t}{\left( {{p{r_{i}(x)}} + {m_{i}(x)}} \right){mod}\; {{f(x)}.}}$

In order for decryption to be successful, the coefficients of this reduced product must be in the range −½q to ½q. In this section we look at the product before reduction modulo f(x) and consider ways in which to reduce the size of its coefficients. For simplicity, we will take r_(i) and m_(i) to be random trinary polynomials. And as a further simplification, we will ignore the m_(i) and just look at products of the form

${{A(x)} = {\prod\limits_{i = 1}^{t}{{p(x)}{r_{i}(x)}}}},$

but note that we now allow p to be a polynomial.

We performed experiments with:

p(x)=one of 3, x−2, x²−x−1, x³−x−1, . . . ,

r_(i)(x)=random trinary of degree n−deg p.

We computed the largest magnitude coefficient of the product A(x) for 1000 samples, and then computed the mean and standard deviation of these maxima. The results are listed in Table 2.

TABLE 2 Largest coefficient of A(x) = Πp(x)r_(i)(x)

p(x)          n     t    Mean ‖A‖∞    S.D. ‖A‖∞
3             21    5    53992.2      23225.6
x − 2         21    5    21037.7      12800.8
x² − x − 1    21    5    4622.0       2931.7
x³ − x − 1    21    5    7369.4       5682.6
x⁴ − x² − 1   21    5    3569.1       2178.1
x⁶ − x³ − 1   21    5    2535.9       1697.1

However, we note that there are some tradeoffs. First, if p(x) is non-constant, then the degree of r(x) is smaller, which means there is less combinatorial security in the choice of r. So using p(x)=x²−x−1 is probably not significant, but using p(x)=x⁶−x³−1, or more generally x^(2k)−x^(k)−1 with larger k, may lead to a larger n that cancels the advantage of products having smaller coefficients.

Second, decryption ultimately reveals the value of m(x) in the ring ℤ[x]/(p(x), f(x)). So for example, if p(x)=x−2, then one obtains the value of m(2) mod f(2), and thus all computations are being done in the ring ℤ/f(2)ℤ. In this case, it might be advisable to choose f so that f(2) is prime. Similarly, if p(x)=x²−x−1, then computations are done in the ring ℤ/Dℤ with

D=f(½(1+√5))·f(½(1−√5)).
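A small simulation of the experiments in Examples 6 and 7 and in Table 2, added here as an illustration and not the applicants' own code: exact reduction of a random g(x) modulo a monic f(x), the quantity ℳ(f) = max|θ_i| obtained with a Durand-Kerner root iteration (an assumed helper; the text does not say how the roots were computed), and the growth of ‖∏ p(x)r_i(x)‖∞ for a polynomial p. Polynomials are coefficient lists, lowest degree first; sample sizes and seeds are constructed, so the statistics only approximate the tabulated ones.

```python
import math
import random
import statistics

def poly_mul(a, b):
    # product of two integer polynomials; coefficient lists, lowest degree first
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return out

def poly_mod(g, f):
    # remainder of g modulo a monic integer polynomial f, exact arithmetic
    g, n = list(g), len(f) - 1
    for d in range(len(g) - 1, n - 1, -1):  # clear leading terms from the top down
        if g[d]:
            c = g[d]
            for k in range(n + 1):
                g[d - n + k] -= c * f[k]
    return g[:n]

def max_root_modulus(f, iters=500):
    # M(f) = max |theta_i| via a Durand-Kerner iteration (added helper, not from the original)
    n = len(f) - 1
    mono = [c / f[n] for c in f]
    roots = [(0.4 + 0.9j) ** k for k in range(n)]
    for _ in range(iters):
        roots = [z - sum(c * z ** k for k, c in enumerate(mono))
                 / math.prod(z - w for j, w in enumerate(roots) if j != i)
                 for i, z in enumerate(roots)]
    return max(abs(z) for z in roots)

def remainder_stats(f, deg_g, samples, bound, seed):
    # Example 6/7 setup: |g mod f|_inf for random g with coefficients in [-bound, bound]
    rng = random.Random(seed)
    maxima = [max(abs(c) for c in poly_mod([rng.randint(-bound, bound) for _ in range(deg_g + 1)], f))
              for _ in range(samples)]
    return statistics.mean(maxima), statistics.pstdev(maxima)

def product_mean(p, n, t, samples, seed):
    # Table 2 setup: mean of |prod_i p(x) r_i(x)|_inf, r_i random trinary of degree n - deg p
    rng = random.Random(seed)
    total = 0
    for _ in range(samples):
        A = [1]
        for _ in range(t):
            A = poly_mul(A, poly_mul(p, [rng.randint(-1, 1) for _ in range(n - len(p) + 2)]))
        total += max(abs(c) for c in A)
    return total / samples
```

With f₄ = [-1, 1, -1, 1, -1, 0, 0, 0, 0, 0, 0, 1], `max_root_modulus` returns about 1.18 and `remainder_stats(f4, 32, 100, 2, seed)` lands in the range reported for f₄; `product_mean([3], 21, 5, ...)` exceeds `product_mean([-1, -1, 1], 21, 5, ...)` by roughly the factor seen in Table 2.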

1-20. (canceled)
21. A system comprising: a computing device, the computing device configured to encrypt data using a secret isomorphism to generate a first encrypted message; a remote computing device, the remote computing device configured to receive the encrypted message, perform calculations on the first encrypted message without decrypting the first encrypted message, and send the results back to the computing device in a second encrypted message; and a network communicatively linking the computing device and the remote computing device.
22. The system of claim 21, wherein the network is selected from the group consisting of a Local Area Network, a Wide Area Network, a cellular network and a public network.
23. The system of claim 21, wherein the computing device comprises: a processor; a memory; an application; and a cryptography engine.
24. The system of claim 23, wherein the application comprises a computer program that performs one or more functions and interacts with confidential data.
25. The system of claim 24, wherein the confidential data is selected from the group consisting of health data, genetic data, security data, and financial data.
26. The system of claim 23, wherein the cryptography engine is configured to encrypt unencrypted data and decrypt encrypted data.
27. The system of claim 26, wherein the cryptography engine is further configured to generate a secret isomorphism that is usable to encrypt data and a secret inverse isomorphism that is usable to decrypt data encrypted using the secret isomorphism.
28. The system of claim 27, wherein the secret isomorphism is from a private-basis ring to a public-basis ring.
29. The system of claim 28, wherein the secret inverse isomorphism is from the public-basis ring to the private-basis ring.
30. The system of claim 27, wherein the remote computing device comprises a services engine.
31. The system of claim 30, wherein the services engine is configured to perform computing services for the computing device based on the first encrypted message received from the computing device.
32. The system of claim 31, wherein the computing services include a service to perform calculations on the first encrypted message that are usable in performing genetic analysis.
33. The system of claim 26, wherein the cryptography engine is further configured to perform leveled homomorphic encryption.
34. The system of claim 33, wherein the leveled homomorphic encryption imposes a limit on a number of computations that can be performed on ciphertext before numerical error overcomes data in the ciphertext.